From martin.pitt@canonical.com Thu Aug 11 13:52:26 2005 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com Date: Thu, 11 Aug 2005 15:13:20 +0200 Subject: [USN-165-1] heartbeat vulnerability =========================================================== Ubuntu Security Notice USN-165-1 August 11, 2005 heartbeat vulnerability CAN-2005-2231 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) Ubuntu 5.04 (Hoary Hedgehog) The following packages are affected: heartbeat The problem can be corrected by upgrading the affected package to version 1.2.2-8ubuntu0.1 (for Ubuntu 4.10), or 1.2.3-3ubuntu1.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Eric Romang discovered that heartbeat created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with root privileges as soon as heartbeat is started. Updated packages for Ubuntu 4.10 (Warty Warthog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1.diff.gz Size/MD5: 7876 1f219e99881df0996134000f855d9339 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1.dsc Size/MD5: 862 9960ee62482cf244096c1601c34165b9 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2.orig.tar.gz Size/MD5: 1565941 2f6f177c7aebba34ba45a68deac41e37 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/ldirectord_1.2.2-8ubuntu0.1_all.deb Size/MD5: 42844 3b756503c8d809836c42b3c970169395 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 123274 c7329aa36efadfe9999182454564dafb http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 531238 c51bea450bb848ca9defb2a600cbf0b5 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 59356 bfa043d078ed4bb91dc5e1b3ad693bb1 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 49984 84e9798bbd2aa172f36d77aeaac40ac2 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 27500 fd0da8672d36b78f07bd774fbb7205c1 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 77628 b139b2a9b9c67cc4e4b0f7eea86dbc2d http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_amd64.deb Size/MD5: 28552 50c25e035a9afac9b95e54407aca8694 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 112756 d0df067b1a8bc319b533a1f1fb94a13e http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 488994 fae2904a2a8cba2452c2e12ae705c3bd http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 55508 3a9f5a7add62fc072e1647fe18452e54 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 44938 11a6e9877e2e4d409eaece584681a9d5 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 27100 a470eea4e239627cb26a47c67d0a206f http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 67248 4b98f735c006d4c348d0a258a16b1dc8 http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_i386.deb Size/MD5: 28028 92d2b0b2eb1219940782828cb37e16be powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 124626 5509ddf56e9651daa3cee6885e759ca0 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 554794 99075d036528f230cee341f10d4a35be http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 59420 1fb7f8ac2320ffd7ffc5e2b2b79452f2 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 50962 d314814467eb35380d11b9664314511b http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 27662 c4a076b92af1479307d3b76c6d4d7d01 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 86594 083e5c9a268a7583b8993be9188f6afc http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.2-8ubuntu0.1_powerpc.deb Size/MD5: 30830 7355d8b04d7e795009393cb8b569dc6f Updated packages for Ubuntu 5.04 (Hoary Hedgehog): Source archives: http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1.diff.gz Size/MD5: 245407 99c109587b63f09e215e959ba9f5e95b http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1.dsc Size/MD5: 847 396906a893ee422a2af0232315c654fa http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3.orig.tar.gz Size/MD5: 1772513 9fd126e5dff51cc8c1eee223c252a4af Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/ldirectord_1.2.3-3ubuntu1.1_all.deb Size/MD5: 44484 77c0b44340fbca9ecb65d55028325c4e amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 125228 ca0d487242ea6e86f8a846727e6de55a http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 532922 8a5c3db33bea01d6c39bb0a011d63099 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 60900 4f423088204ee30724343bfdf8980026 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 51590 15d3138654f905058b3eb97b3e0c600a http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 29080 c9a1f9dae5b6a68af490648c3bda9e98 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 79356 92971fe256772e7d22bbab96aebe0739 http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_amd64.deb Size/MD5: 30104 ea892aca4dbcab2e0bb0463e659c15d3 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 114652 2f43f3c91dca4c8146e0ded33a1987d0 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 489472 7b0e97cfaa9ec04a4f0ef1d73c152739 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 57054 94ed42ccdd478566639b313c1bd3e89e http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 46570 1d8dd224a5404345991e9ca2b8a91f88 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 28662 88444bfcfbc3a2b9e1775b024f4c54cd http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 69064 10e1b3e16c7109003e9818ebde63f190 http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_i386.deb Size/MD5: 29504 3d8dd26a1fd9c9de1dea642149d69b34 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat-dev_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 126700 e620900665670a81d4207aeac7f22884 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/heartbeat_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 556882 5113b635cf969850b3d93eac7c1d8569 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils-dev_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 60954 97e504b49ee9f55e8d9303d044556ee6 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libpils0_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 52598 d8a41f8b60a0f8dc9b6c2c9300b0ba7d http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith-dev_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 29228 24ec82b2761d1d0561a0fe1b58adf4a3 http://security.ubuntu.com/ubuntu/pool/main/h/heartbeat/libstonith0_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 88814 5547291ce0b56e1683425136b22b6934 http://security.ubuntu.com/ubuntu/pool/universe/h/heartbeat/stonith_1.2.3-3ubuntu1.1_powerpc.deb Size/MD5: 32386 0613b29df54ab3a4f2e41e492de58f82 [ Part 2, "Digital signature" Application/PGP-SIGNATURE ] [ 196bytes. ] [ Unable to print this part. ]